290 likes | 421 Views
Architecture Analysis of Evolving Complex Systems of Systems Technical Presentation Software Assurance Symposium 2008. Principal Investigator (PI): Dr. Mikael Lindvall, FC-MD NASA POC: Sally Godfrey, GSFC
E N D
Architecture Analysis of Evolving Complex Systems of SystemsTechnical PresentationSoftware Assurance Symposium2008 Principal Investigator (PI): Dr. Mikael Lindvall, FC-MD NASA POC: Sally Godfrey, GSFC Team members: Chris Ackermann, Dr. Arnab Ray, Lyly Yonkwa, Dharma Ganesan (FC-MD)William C. Stratton, Deane E. Sibol (APL) Fraunhofer Center for Experimental Software Engineering Maryland (FC-MD) Fraunhofer Institute for Experimental Software Engineering (IESE) Johns Hopkins University Applied Physics Laboratory Space Department Ground Applications Group (APL)
Outline • Motivation • Background: (static) SAVE • Dynamic SAVE Vision • Dynamic SAVE examples • Applicability Throughout the Life Cycle
Problem/Approach • Systems are often difficult to understand • Systems of systems adds to the challenge • Makes system verification difficult • Interfaces often source of problems • Approach • Architecture analysis focusing on interfaces • The new tool, Dynamic SAVE, • extends the already existing static Software Architecture Visualization and Evaluation (SAVE) tool
Background: The (static) SAVE ToolSoftware Architecture Visualization and Evaluation • Does the actual implementation match the planned architecture? • Define a planned architecture • Create an actual architecture from source code • Identify architectural violations through comparison • Applied to APL’s Common Ground System, Research Infusion project • Conclusions (Aerospace 2007) • The SAVE approach is useful and practical • One can quickly model, visualize, analyze, find static architecture violations • Good for single software applications • But for systems of systems, some questions remain unanswered…
A Planned Architecture Application-Specific Modules Encapsulation of client/server interface Encapsulation of socket communications
The Actual Application Architecture Where’s socket implemented?
Dependency in planned, not in actual Dependency in actual, not in planned But, who does socket communicate with? The Actual Architecture vs. The Planned
Client Server The Common Ground System
Dyn-SAVE Vision Compare Planned and Actual Behavior TelemetryClient Form Actual Behavior Specify Planned Behavior Capture Dynamic Information Specify Level of Abstraction For analysis TelemetryServer • Who does socket communicate with? • Is communication according to specification? • Check Sequences, Parameters, Values, Timing
DynSAVE in practice These systems all have ICDs (Interface Control Documents) The Common Ground System
Focus on:Interface Control Documents • NASA systems often developed by different teams • Interface Control Documents (ICD) is key, but • ICDs often interpreted differently because • ICDs implicit, lack important details etc. • Cause subtle critical deviations from specified behavior • Deviations difficult to detect • Emerging behavior difficult to predict • Can result in severe problems, e.g. lost data, performance • Need to • Detect deviations before deployment • (Specify expected and actual behavior before creating ICD!)
Some Research Questions • Sequence diagrams • Can we use sequence diagrams to model, abstract, and detect such deviations? • Can sequence diagrams express what we need? • Iterative modeling • Can we start with abstract models, add details as necessary?
Approach • Collect concrete examples from APL • Model planned behavior • Use specification from ICD • Capture actual traces • Use Archive_Server and Eng_Dump • Generate Client scenarios, observe how Server responds • Identify common patterns
Planned sequence diagram The “simplest” diagram that describes the planned communication behavior described in the ICD
Example 1: Illegal filter An illegal extra filter is sent after BeginPlayback and Data messages have been sent. The illegal filter is difficult to detect because it is in packet 869.
Detailed sequence diagramexperimental notation 1. Start time must be less than stop time 2. Data type of each of the received data messages must match specification
Example 2: Illegal Type specification =STF) STF ordered – STP received.
CFDP – A Mission Data System Protocol • CFDP provides reliable downloads of recorded on-board data • The implementation is distributed across flight and ground systems • The protocol runs on top of unreliable CCSDS command and telemetry layer • At APL, CFDP is mostly automated, but… • Operators turn off CFDP uplink during critical command load sequences • Operators freeze and thaw timers - pending transactions don’t time out between contacts • Improper CFDP operation can lead to unnecessary retransmissions, wasting precious downlink bandwidth
DynSAVE monitoring of CFDP • Monitors macro-level behaviors without affecting flight or ground software • Detects improper CFDP operation, for example: • timers were not frozen and uplink was disabled on the ground for an extended period, causing multiple retransmissions when the uplink was finally enabled again • Detects issues in CFDP implementation, e.g.: • sender continues to send file data after the transaction has been cancelled • These types of behaviors can go undetected (file transfers still work) but are important to detect (they can result in data loss!) X X DynSAVE
Planned CFDP Sequence Sample Rules: Check that received FD are not NAKed Check for duplicate FDs Check that we have all FDs upon FIN
Actual CFPD Sequence Needed FDs: 502 Sent FDs: 840 Potential Waste: ~70%? – Further analysis needed.
Zoom in on CFDP sequence Rule 2 Violation: duplicate FDs!
Life Cycle Support Initial use of Dyn SAVE System Architecture Use DynSAVE to Specify and Test Communication Add to ICD Sub-System Development Use DynSAVE to Develop and Test based on ICD System Integration and Test Use DynSAVE to test based on ICD
Create System Architecture Client Server No Server, No Client Exist Use DynSAVE to • Specify Planned communication • Sequences • Parameters, Values • Timing constrains • Create Tests • Correct, Incorrect behavior • Specific incorrectness • Automatically generate defects • Ensure that communication protocol can handle all tests • Add Diagram, Specification, Tests to ICD • “Generate” information for ICD Communication
Status • Dyn-SAVE works for telemetry protocol • Currently adding functionality to evaluate CFDP protocols • Applying Dyn-SAVE to APL’s systems • We’d like to apply to other systems
Summary • Analyze, Visualize, and Evaluate • structure and behavior using • static and dynamic information • individual systems as well as systems of systems • Next steps: • Refine software tool support • Use approach to review, improve ICD • E.g. add planned sequence diagrams, rules to ICD • Apply to other systems to get feedback